Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5317
Views
20
Helpful
6
Replies

ISE 2.7 Patch 2 : Unable to load Context Visibility page

mmisonne
Level 2
Level 2

‎12-30-2020 04:39 AM

I have a 6 nodes deployement : 2 PAN, 2 MNT and 2 PSN ( Physical appliance)
Each time I restart the ADMIN (Master) node, I cannot go to context visibility.
I have this error :
"unable to load Context Visibility page. Ensure that reverse DNS lookup is configured for all Cisco ISE nodes in your distributed deployment in the DNS server(s). Exception: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];
I have to do the commande "Application config ise", and reset context visibility and the 2 admin node. After that, everithing is working fine, until I reset the Admin node.

However, the DNS and reverse DNS is OK for all 6 node.

I have not this pb , with the other admin node.
i.e: If I promote the other admin node, I have not this pb when I restart it.
I also reinstall the first admin node from scratch.

 

Can someone help me ?

1 person had this problem
0 Helpful
6 Replies 6

andy!doesnt!like!uucp
Spotlight
Spotlight

‎12-30-2020 06:27 AM

Hi

why dont u want to call the TAC on the subject (unless u r able to find any relevant bug-id on CCO)? did u try any of those options?

btw here is very familiar issue with workaround for 2.1 SW i've found in 1 min:

https://community.cisco.com/t5/cisco-bug-discussions/cscvd38251-unable-to-load-context-visibility-page/td-p/3067112

mmisonne
Level 2
Level 2
In response to andy!doesnt!like!uucp

‎12-30-2020 07:51 AM

HI, I am already involved with TAC. But till now ,they did not find the issue.

This is strange that the pb is not symetric: When the PAN-Node1 is master, I have this pb, When the Pan Node 2 is master , I do not have  this pb. Allthough I reimage the Pan-Node1.

The pb has  2 other consequence: 

    The home page display "no date available " in some dashlet.

     And the backup, could not be done.

I guess there is  maybe some issue with the client environnement , between the 2 pans.

 

Michel

 

 

 

0 Helpful

andy!doesnt!like!uucp
Spotlight
Spotlight
In response to mmisonne

‎12-30-2020 09:41 AM

did u notice within the above reference the certificates of PAN nodes must populate trusted certificate store in the cube to get rid of issue? i'd recommend u verify this approach & let us know.

mmisonne
Level 2
Level 2
In response to andy!doesnt!like!uucp

‎12-31-2020 12:16 AM

I tried that. Same issue.

I think this is not necessary because ISE PAN do'nt use self signed certificate. They are generate by the client PKI.

0 Helpful

Marcelo Morais
VIP
VIP
In response to mmisonne

‎12-30-2020 10:46 PM

Hi @mmisonne 

 

 try to Replace the ISE Root Certificate Chain by:

1. Administration > System > Certificates > Certificate Authority > Internal CA Settings:
 click the Enable Certificate Authority button
2. Administration > System > Certificates > Certificate Management > Certificate Signing Requests:
 Certificate(s) will be used for: ISE Root CA
 click the Replace ISE Root CA Certificate Chain button
3. Administration > System > Certificates > Certificate Authority > Internal CA Settings:
click the Disable Certificate Authority button

Hope this helps.

0 Helpful

mmisonne
Level 2
Level 2
In response to Marcelo Morais

‎12-31-2020 12:28 AM

Hi Marcello,

I already tried that.

Indeed, it solve the ISE messaging pb:

Before, I could not use Ise messaging for inter-node syslogs.

And  I had lots of queue-link error in the alarm Dashboard.

But unfortunately, it does not solve my Context visibility pb.

 

 

0 Helpful
Customers Also Viewed These Support Documents